feat: multiple cleanups

Author: acx1729

compliance/controls/aws/aws_account_alternate_contact_security_registered.yaml

@@ -0,0 +1,61 @@
+ID: aws_account_alternate_contact_security_registered
+Title: "Security contact information should be provided for an AWS account"
+Description: "This control checks if an AWS Web Services (AWS) account has security contact information. The control fails if security contact information is not provided for the account."
+Connector:
+- aws
+Query:
+  Engine: odysseus-v0.0.1
+  QueryToExecute: |
+    with alternate_security_contact as (
+      select
+        name,
+        account_id
+      from
+        aws_account_alternate_contact
+      where
+        contact_type = 'SECURITY'
+    )
+    select
+      arn as resource,
+      kaytu_account_id as kaytu_account_id,
+      kaytu_resource_id as kaytu_resource_id,
+      case
+        when a.partition = 'aws-us-gov' then 'info'
+        -- Name is a required field if setting a security contact
+        when c.name is not null then 'ok'
+        else 'alarm'
+      end as status,
+      case
+        when a.partition = 'aws-us-gov' then a.title || ' in GovCloud, manual verification required.'
+        when c.name is not null then a.title || ' has security contact ' || c.name || ' registered.'
+        else a.title || ' security contact not registered.'
+      end as reason
+      , a.account_id
+    from
+      aws_account as a
+      left join alternate_security_contact as c on c.account_id = a.account_id;
+  PrimaryTable: aws_account
+  ListOfTables:
+  - aws_account
+  - aws_account_alternate_contact
+  Parameters: []
+Severity: low
+Tags:
+  category:
+  - Compliance
+  cis:
+  - "true"
+  cis_item_id:
+  - "1.18"
+  cis_level:
+  - "1"
+  cis_section_id:
+  - "1"
+  cis_type:
+  - not_scored
+  cis_version:
+  - v1.2.0
+  plugin:
+  - aws
+  service:
+  - AWS/IAM

compliance/controls/aws/aws_account_part_of_organizations.yaml

@@ -0,0 +1,43 @@
+ID: aws_account_part_of_organizations
+Title: "AWS account should be part of AWS Organizations"
+Description: "Ensure that an AWS account is part of AWS Organizations. The rule is non-compliant if an AWS account is not part of AWS Organizations or AWS Organizations master account ID does not match rule parameter MasterAccountId."
+Connector:
+- aws
+Query:
+  Engine: odysseus-v0.0.1
+  QueryToExecute: |
+    select
+      arn as resource,
+      kaytu_account_id as kaytu_account_id,
+      kaytu_resource_id as kaytu_resource_id,
+      case
+        when organization_id is not null then 'ok'
+        else 'alarm'
+      end as status,
+      case
+        when organization_id is not null then title || ' is part of organization(s).'
+        else title || ' is not part of organization.'
+      end as reason
+      , region, account_id
+    from
+      aws_account;
+  PrimaryTable: aws_account
+  ListOfTables:
+  - aws_account
+  Parameters: []
+Severity: medium
+Tags:
+  category:
+  - Compliance
+  cis_controls_v8_ig1:
+  - "true"
+  gxp_21_cfr_part_11:
+  - "true"
+  nist_800_53_rev_5:
+  - "true"
+  nist_csf:
+  - "true"
+  plugin:
+  - aws
+  service:
+  - AWS/IAM

compliance/controls/aws/aws_acm_certificate_expires_30_days.yaml

@@ -0,0 +1,66 @@
+ID: aws_acm_certificate_expires_30_days
+Title: "ACM certificates should not expire within 30 days"
+Description: "Ensure network integrity is protected by ensuring X509 certificates are issued by AWS ACM."
+Connector:
+- aws
+Query:
+  Engine: odysseus-v0.0.1
+  QueryToExecute: |
+    select
+      certificate_arn as resource,
+      kaytu_account_id as kaytu_account_id,
+      kaytu_resource_id as kaytu_resource_id,
+      case
+        when renewal_eligibility = 'INELIGIBLE' then 'skip'
+        when date(not_after) - date(current_date) >= 30 then 'ok'
+        else 'alarm'
+      end as status,
+      case
+        when renewal_eligibility = 'INELIGIBLE' then title || ' not eligible for renewal.'
+        else title || ' expires ' || to_char(not_after, 'DD-Mon-YYYY') ||
+        ' (' || extract(day from not_after - current_date) || ' days).'
+      end as reason
+      
+      , region, account_id
+    from
+      aws_acm_certificate;
+  PrimaryTable: aws_acm_certificate
+  ListOfTables:
+  - aws_acm_certificate
+  Parameters: []
+Severity: high
+Tags:
+  category:
+  - Compliance
+  cisa_cyber_essentials:
+  - "true"
+  fedramp_low_rev_4:
+  - "true"
+  fedramp_moderate_rev_4:
+  - "true"
+  ffiec:
+  - "true"
+  gdpr:
+  - "true"
+  hipaa_final_omnibus_security_rule_2013:
+  - "true"
+  hipaa_security_rule_2003:
+  - "true"
+  nist_800_171_rev_2:
+  - "true"
+  nist_800_53_rev_4:
+  - "true"
+  nist_800_53_rev_5:
+  - "true"
+  nist_csf:
+  - "true"
+  pci_dss_v321:
+  - "true"
+  plugin:
+  - aws
+  rbi_cyber_security:
+  - "true"
+  service:
+  - AWS/ACM
+  soc_2:
+  - "true"

compliance/controls/aws/aws_acm_certificate_no_failed_certificate.yaml

@@ -0,0 +1,27 @@
+ID: aws_acm_certificate_no_failed_certificate
+Title: "Ensure that ACM certificates are not in failed state"
+Description: "This control ensures that ACM certificates are not in failed state."
+Connector:
+- aws
+Query:
+  Engine: odysseus-v0.0.1
+  QueryToExecute: |-
+    select
+      certificate_arn as resource,
+      kaytu_account_id as kaytu_account_id,
+      kaytu_resource_id as kaytu_resource_id,
+      case
+        when status in ('VALIDATION_TIMED_OUT', 'FAILED') then 'alarm'
+        else 'ok'
+      end as status,
+      title || ' status is ' || status || '.'  as reason
+      
+      
+    from
+      aws_acm_certificate;
+  PrimaryTable: aws_acm_certificate
+  ListOfTables:
+  - aws_acm_certificate
+  Parameters: []
+Severity: low
+Tags: {}

compliance/controls/aws/aws_acm_certificate_no_pending_validation_certificate.yaml

@@ -0,0 +1,27 @@
+ID: aws_acm_certificate_no_pending_validation_certificate
+Title: "Ensure that ACM certificates are not in pending validation state"
+Description: "This control ensures that ACM certificates are not in pending validation state. When certificates are not validated within 72 hours after the request is made, those certificates become invalid."
+Connector:
+- aws
+Query:
+  Engine: odysseus-v0.0.1
+  QueryToExecute: |-
+    select
+      certificate_arn as resource,
+      kaytu_account_id as kaytu_account_id,
+      kaytu_resource_id as kaytu_resource_id,
+      case
+        when status = 'PENDING_VALIDATION' then 'info'
+        else 'ok'
+      end as status,
+      title || ' status is ' || status || '.'  as reason
+      
+      
+    from
+      aws_acm_certificate;
+  PrimaryTable: aws_acm_certificate
+  ListOfTables:
+  - aws_acm_certificate
+  Parameters: []
+Severity: low
+Tags: {}

compliance/controls/aws/aws_acm_certificate_no_wildcard_domain_name.yaml

@@ -0,0 +1,28 @@
+ID: aws_acm_certificate_no_wildcard_domain_name
+Title: "ACM certificates should not use wildcard certificates"
+Description: "Ensure that ACM single domain name certificates are used instead of wildcard certificates within your AWS account in order to follow security best practices and protect each domain/subdomain with its own unique private key."
+Connector:
+- aws
+Query:
+  Engine: odysseus-v0.0.1
+  QueryToExecute: |-
+    select
+      certificate_arn as resource,
+      kaytu_account_id as kaytu_account_id,
+      kaytu_resource_id as kaytu_resource_id,
+      case
+        when domain_name like '*%' then 'alarm'
+        else 'ok'
+      end as status,
+      case
+        when domain_name like '*%' then title || ' uses wildcard domain name.'
+        else title || ' does not use wildcard domain name.'
+      end as reason
+    from
+      aws_acm_certificate;
+  PrimaryTable: aws_acm_certificate
+  ListOfTables:
+  - aws_acm_certificate
+  Parameters: []
+Severity: low
+Tags: {}

compliance/controls/aws/aws_acm_certificate_not_expired.yaml

@@ -0,0 +1,34 @@
+ID: aws_acm_certificate_not_expired
+Title: "Ensure that all the expired ACM certificates are removed"
+Description: "This control ensures that all expired ACM certificates are removed from AWS account."
+Connector:
+- aws
+Query:
+  Engine: odysseus-v0.0.1
+  QueryToExecute: |-
+    select
+      certificate_arn as resource,
+      kaytu_account_id as kaytu_account_id,
+      kaytu_resource_id as kaytu_resource_id,
+      case
+        when renewal_eligibility = 'INELIGIBLE' then 'skip'
+        when date(not_after) < (current_date - interval '1' minute) then 'alarm'
+        else 'ok'
+      end as status,
+      case
+        when renewal_eligibility = 'INELIGIBLE' then title || ' not eligible for renewal.'
+        when date(not_after) < (current_date - interval '1' minute) then title || ' expired ' || to_char(not_after, 'DD-Mon-YYYY') ||
+        ' (' || extract(day from not_after - current_date) || ' days ago).'
+        else title || ' expires ' || to_char(not_after, 'DD-Mon-YYYY') ||
+        ' (' || extract(day from not_after - current_date) || ' days).'
+       end as reason
+      
+      
+    from
+      aws_acm_certificate;
+  PrimaryTable: aws_acm_certificate
+  ListOfTables:
+  - aws_acm_certificate
+  Parameters: []
+Severity: low
+Tags: {}

compliance/controls/aws/aws_acm_certificate_rsa_key_length_2048_bits_or_greater.yaml

@@ -0,0 +1,32 @@
+ID: aws_acm_certificate_rsa_key_length_2048_bits_or_greater
+Title: "RSA certificates managed by ACM should use a key length of at least 2,048 bits"
+Description: "This control checks whether RSA certificates managed by AWS Certificate Manager use a key length of at least 2,048 bits. The control fails if the key length is smaller than 2,048 bits."
+Connector:
+- aws
+Query:
+  Engine: odysseus-v0.0.1
+  QueryToExecute: |-
+    select
+      certificate_arn as resource,
+      kaytu_account_id as kaytu_account_id,
+      kaytu_resource_id as kaytu_resource_id,
+      case
+        when not key_algorithm like 'RSA-%' then 'skip'
+        when key_algorithm = 'RSA_1024' then 'alarm'
+        else 'ok'
+      end as status,
+      case
+        when not key_algorithm like 'RSA-%' then title || ' is not a RSA certificate.'
+        when key_algorithm = 'RSA_1024' then title || ' is using 1024 bits key length.'
+        else title || ' is using ' || split_part(key_algorithm, '-', 2) || ' bits key length.'
+      end as reason
+      
+      
+    from
+      aws_acm_certificate;
+  PrimaryTable: aws_acm_certificate
+  ListOfTables:
+  - aws_acm_certificate
+  Parameters: []
+Severity: low
+Tags: {}

compliance/controls/aws/aws_acm_certificate_transparency_logging_enabled.yaml

@@ -0,0 +1,30 @@
+ID: aws_acm_certificate_transparency_logging_enabled
+Title: "ACM certificates should have transparency logging enabled"
+Description: "Ensure ACM certificates transparency logging is enabled as certificate transparency logging guards against SSL/TLS certificates issued by mistake or by a compromised certificate authority."
+Connector:
+- aws
+Query:
+  Engine: odysseus-v0.0.1
+  QueryToExecute: |-
+    select
+      certificate_arn as resource,
+      kaytu_account_id as kaytu_account_id,
+      kaytu_resource_id as kaytu_resource_id,
+      case
+        when type = 'IMPORTED' then 'skip'
+        when certificate_transparency_logging_preference = 'ENABLED' then 'ok'
+        else 'alarm'
+      end as status,
+      case
+        when type = 'IMPORTED' then title || ' is imported.'
+        when certificate_transparency_logging_preference = 'ENABLED' then title || ' transparency logging enabled.'
+        else title || ' transparency logging disabled.'
+      end as reason
+    from
+      aws_acm_certificate;
+  PrimaryTable: aws_acm_certificate
+  ListOfTables:
+  - aws_acm_certificate
+  Parameters: []
+Severity: low
+Tags: {}

compliance/controls/aws/aws_acmpca_root_certificate_authority_disabled.yaml

@@ -0,0 +1,32 @@
+ID: aws_acmpca_root_certificate_authority_disabled
+Title: "AWS Private CA root certificate authority should be disabled"
+Description: "This control checks if AWS Private CA has a root certificate authority (CA) that is disabled. The control fails if the root CA is enabled."
+Connector:
+- aws
+Query:
+  Engine: odysseus-v0.0.1
+  QueryToExecute: |-
+    select
+      arn as resource,
+      kaytu_account_id as kaytu_account_id,
+      kaytu_resource_id as kaytu_resource_id,
+      case
+        when type <> 'ROOT' then 'skip'
+        when status = 'DISABLED' then 'ok'
+        else 'alarm'
+      end as status,
+      case
+        when type <> 'ROOT' then title || ' is not root CA.'
+        when status = 'DISABLED' then title || ' root CA disabled.'
+        else title || ' root CA not disabled.'
+      end as reason
+      
+      
+    from
+      aws_acmpca_certificate_authority;
+  PrimaryTable: aws_acmpca_certificate_authority
+  ListOfTables:
+  - aws_acmpca_certificate_authority
+  Parameters: []
+Severity: low
+Tags: {}